Copyright © 2009 Open Geospatial Consortium, Inc. 103
has influence to all clients that are subscribed to that particular alert. Tampering with the InsertSensor request of the SOS affects all clients, as the SOS cannot provide offerings for the sensor.
9.8.3 Risk discussion
The opening question is: how long can an attacker exercise attacks before he gets unveiled, and how many attacks, and how many succeeding attacks, can an attacker undertake before he gets unveiled? Exercising attacks always carries a certain risk for the attacker of being unveiled. Depending on the kind of attack, its effect on the asset and its effectiveness, the potential to be unveiled can be determined by the following factors:

Does exercising the attack require tampering with the underlying network, as is relevant for attacks leveraging Man-in-the-Middle or ARP spoofing? In these cases, it is very likely that the adversary cannot exercise too many attacks, as he must expect to be unveiled at almost any time. For attacks that can be carried out by just executing the service (Adversary’s client can execute SS), it is much harder for the network admin to differentiate between a normal request and an attack.

For a certain attack to succeed, how many other requests must be exercised successfully? The higher that number, the more likely it is that the attacker gets unveiled and suspended from the network before the actual devastating attack can be exercised.

All attacks that are related to espionage typically carry less risk of being unveiled than attacks that are related to sabotage. Therefore, attacks that do not result in a change of the asset or its state are perhaps less risky than attacks that affect the asset and are also effective for more than one user.
9.8.4 Overall Rating
In the context of this ER, the overall rating of an attack shall reflect the likelihood that an attack succeeds, its impact and the risk involved for the attacker of getting unveiled. Estimating an overall rating seems almost impossible, considering that the reason why the attacker wants to exercise an attack might vary extremely. However, we can perhaps say that it is proportional to the likelihood that the attack succeeds times the impact, divided by the number of attacks potentially required to succeed. The selection of appropriate attacks might still depend on the situation and the context and therefore deviate from that rule of thumb.
However, it is possible to say that the attacker probably favors attacks that do not require network tampering, do not require information gathering (at least not from exercising other attacks) and have a high impact. In that sense, all transactional operations of a service are "interesting", as they carry the potential for high impact if the adversary is up to sabotage.
9.8.5 Attack suitability discussion
Which kinds of attacks provide the most flexibility for the attacker to reach the desired goal?
The adversary has to make up his mind which attack to exercise in order to succeed and reach the desired goal. This is particularly important if different options exist, but with different likelihood and involved risk of getting unveiled.
In addition to that, the attacker has to make up his mind which attack is suitable to reach the desired goal. Attacks leveraging Man-in-the-Middle provide in general the maximum flexibility, as they can modify the request from the user client to the service and the response going back. Certainly, if the request has to be modified because the attack aims at changing the asset stored at the service, the adversary has no choice. But if the aim is to provide tampered data to the client, the adversary can exercise an attack that modifies the request or the response. In that respect, the attacker can sort the possible attacks into two categories:

Modifications to the service response:
With attacks based on modification of the service response, the response can be tampered with in any respect, so long as the result is still acceptable to the client and the user is not suspicious about the response. gives more flexibility over With modification of the response, the adversary can change almost anything to influence the user in any desired way.

Modifications to the service request:
Attacks based on modification of the service request are less flexible, as the response still comes from the service. So the variety of the responses is limited by the processing semantics of the service.
10 Introduction to relevant Security Standards
As discussed earlier, many different requirements exist that need to be met in order to secure the Sensor Web architecture for use in the intelligence domain. As illustrated in the section "Approach", Message-Level-Security seems to be an extremely promising security foundation towards accreditation. The following figure lays out the different existing security standards, draft standards and recommendations that can be used to implement Message-Level-Security in an interoperable way. The figure also shows standards that can be used to secure conversation between network endpoints, applying security on the Binding- and Network-Layer.
Figure 5: Security Standards Overview excerpt
The following sections of this document introduce different standards, draft standards, recommendations and other literature that define the realization of security requirements for the Network Layer and Message Layer. Both can be applied independently of each other or in combination, depending on the overall architecture and requirements.
10.1 Standards for securing Communication on the Network Layer